Fix the upper level dir traversal error.

vercel · Jun 1, 2017 · cb939b5 · cb939b5
1 parent c483741
commit cb939b5
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/lib/server.js b/lib/server.js
@@ -61,22 +61,28 @@ module.exports = coroutine(function*(req, res, flags, current, ignoredFiles) {
   const assetDir = path.normalize(process.env.ASSET_DIR)
 
   let related = path.parse(path.join(current, pathname))
+  let assetRequest = false
 
   if (related.dir.indexOf(assetDir) > -1) {
+    assetRequest = true
     const relative = path.relative(assetDir, pathname)
     related = path.parse(path.join(__dirname, '/../assets', relative))
   }
 
   related = decodeURIComponent(path.format(related))
 
-  const relatedExists = yield fs.exists(related)
   let notFoundResponse = 'Not Found'
 
   try {
     const custom404Path = path.join(current, '/404.html')
     notFoundResponse = yield fs.readFile(custom404Path, 'utf-8')
   } catch (err) {}
 
+  if (!assetRequest && related.indexOf(current) !== 0) {
+    return micro.send(res, 404, notFoundResponse)
+  }
+
+  const relatedExists = yield fs.exists(related)
   if (!relatedExists && flags.single === undefined) {
     return micro.send(res, 404, notFoundResponse)
   }